Re: Debian PHP upgrade
Thank you very much for your response.
On 2015/03/25, 4:28 PM, "Philip Hands" <firstname.lastname@example.org> wrote:
>Andile Ntebe <ANtebe@Acceleration.biz> writes:
>> I'm not sure why Gareth said PHP, I'm referring to Apache 2.2.22.
>> The below vulnerabilities seem to affect this version:
>You seem not to have noticed that Debian fixes security issues in stable
>versions of our packages, so you're comparing the version that Apache
>would tell you is vulnerable without noticing the fixes that have been
>applied since then by the Debian security team.
>I suggest that you take your list of CVEs and see if any of them are not
>mentioned as having been fixed in the Debian changelog:
>(I'm guessing that if you've been upgrading as hard as you can, and
>still have 2.2.22 then you're using Debian 7, a.k.a "wheezy" -- look in
>/etc/debian_version where you should see "7.8")
>Anyway, you need to note that the Debian version of Apache that you are
>running is not 2.2.22, but rather 2.2.22-13+deb7u4, so that is the 13th
>version of the package that's been built by the package maintainer, many
>of which added fixes for CVEs, taking us to version 2.2.22-13, followed
>by four more uploads that backport fixes to Debian 7 (deb7u1..deb7u4)
>each of which adds more CVE fixes.
>Upgrading to the latest version of something to fix security bugs
>carries with it the potential to introduce new unexpected behaviours,
>and that may result in things breaking, which is why we backport
>security fixes instead of just asking everyone to upgrade and hoping for
>> Is there a way for us to update to the latest version?
>There certainly is -- you can choose to run our testing or unstable
>branches, rather than stable, but hopefully now you know why you should
>not be fretting about this.
>|)| Philip Hands [+44 (0)20 8530 9560] HANDS.COM Ltd.
>|-| http://www.hands.com/ http://ftp.uk.debian.org/
>|(| Hugo-Klemm-Strasse 34, 21075 Hamburg, GERMANY
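As an added example (not part of the thread above), a POSIX shell script that does the check Philip suggests: it reads the installed package version from dpkg and reports which CVE ids from an upstream list are not mentioned in the Debian changelog. The package name apache2 and the changelog path are assumptions; the embedded changelog excerpt and the CVE-0000-* ids are constructed placeholders so the script runs offline on a non-Debian host.

```shell
#!/bin/sh
# Constructed changelog excerpt (placeholder ids, NOT the real apache2 changelog).
# On a Debian host the real file is /usr/share/doc/apache2/changelog.Debian.gz.
SAMPLE_CHANGELOG='apache2 (2.2.22-13+deb7u4) wheezy-security; urgency=medium

  * Backport fix for CVE-0000-0001 (constructed entry)

apache2 (2.2.22-13+deb7u1) wheezy-security; urgency=high

  * Backport fix for CVE-0000-0002 (constructed entry)
'

# Print the CVE ids in "$1" (whitespace-separated) that do NOT appear
# anywhere in the changelog text "$2"; whole-word match avoids CVE-0000-00010
# being taken as a mention of CVE-0000-0001.
unfixed_cves() {
    missing=""
    for cve in $1; do
        if ! printf '%s\n' "$2" | grep -q -w -F "$cve"; then
            missing="$missing $cve"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Installed Debian package version (e.g. 2.2.22-13+deb7u4), via dpkg-query;
# prints a placeholder when dpkg is not available on this machine.
installed_version() {
    dpkg-query -W -f='${Version}' "$1" 2>/dev/null || printf '%s\n' "unknown (no dpkg)"
}

# Real changelog when present (assumed path), otherwise the constructed sample.
package_changelog() {
    f="/usr/share/doc/$1/changelog.Debian.gz"
    if [ -r "$f" ]; then zcat "$f"; else printf '%s' "$SAMPLE_CHANGELOG"; fi
}

# Usage: ./check_cves.sh CVE-XXXX-NNNN [CVE-XXXX-NNNN ...]
if [ "$#" -gt 0 ]; then
    echo "apache2 installed version: $(installed_version apache2)"
    echo "CVEs not mentioned in changelog: $(unfixed_cves "$*" "$(package_changelog apache2)")"
fi
```

Any id the script lists is the one worth raising with the security team or checking against the Debian security tracker; ids it does not list are already recorded as fixed in the packaged version.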